Is it that compliance doesn’t work or do we just not have the right requirements yet?
Posted by: gsmckee4 in General

A discussion got started on Twitter two weeks ago about whether or not complying with standards and regulations such as PCI, HIPAA, FISMA, ISO 27001, etc., works when it comes to securing data. A good friend of mine, Mike Smith of the Guerilla CISO Blog, offered the point of view that compliance works; it is just that we don’t have the right requirements. It was my point of view that compliance doesn’t work, and thus the point/counterpoint began.
Let me say that Mike and I are very good friends and we respect each other’s opinion and point of view. That was good because we were able to focus on attacking each other’s arguments, and the conversation didn’t degrade into the usual “you don’t get it and you should just listen to me because I’ve been doing this for x number of years and know what I’m talking about” that we regrettably see so often nowadays. Let me also say that Mike and I often like to play devil’s advocate in order to explore both sides of an argument. What I’m about to relay I honestly believe, but I make no assertion about Mike’s point of view. You’ll have to ask him whether he holds that position or was playing devil’s advocate with me. In the end it really doesn’t matter all that much.
We took the discussion off Twitter and onto email because it is hard to develop and present arguments in the 140-character sound bites that are Twitter. What I’m about to summarize is an email that I sent laying out what I believe to be the salient points and my contention that compliance doesn’t work. Once this is over, please feel free to join the discussion – dissenting points of view are welcome.
Point:
Compliance does work; it is just that we haven’t done a good enough job of setting the requirements (the required elements of standards and regulations such as PCI, FISMA, ISO 27001, COBIT, etc.). Since these requirements are not directly translatable into buildable/testable requirements, they are not adequate, and that is why compliance fails. If our requirements were buildable and testable, then achieving compliance would work.
Counter Point:
Compliance doesn’t work because it is based on the assumption that meeting a given set of requirements will result in a secure system (or environment). For example, installing a web application firewall or an intrusion detection system will not necessarily help secure your environment if it is not configured properly for the applications and traffic it is supposed to protect. Standards and regulations are often written to address the widest audience possible. As a result, many, if not all, of the requirements need to be tailored for each specific environment. By refining the requirements you effectively reduce the applicable audience and, by extension, increase the number of variances that must be granted in order to apply the standard or regulation widely. As a result you’ll still be struggling with the same issues, just from a different direction.
In order for something to be considered a standard it must strike a balance between being applicable to a majority of its audience and being actionable. If it is too broad, it can’t be a standard because it doesn’t provide value; if it is too narrow, it can’t be a standard because its audience is too small (i.e., it is not widely applicable). So is it really a problem with the standards? I don’t think so.
The main problem with the compliance mentality is that it has you striving to achieve a requirement which, while related to the goal, is not the actual goal of what you are trying to accomplish. The goal is to secure information with a reasonable level of security controls. A reasonable level of security involves much more than meeting a set of requirements within a standard. It involves fully understanding the information lifecycle and choosing controls which correspond to how information is used and how critical it is to your organization. By definition, standards don’t offer that.
Now don’t get me wrong, I’m not advocating that we throw out standards such as PCI, FISMA, HIPAA, ISO, etc. What I am saying is that we need to view them in the proper perspective and for what they are as opposed to what they have been portrayed as. Standards and regulations can and do provide focus and some of the necessary elements to achieve a reasonable level of security but they do not make an organization secure in and of themselves.
Is the answer to create more refined standards and regulations? I don’t think so. By doing so you would only make them less applicable. What we do need to do is make sure that our approach to security not only incorporates the existing standards and regulations but goes beyond them in search of a reasonable level of security control. (Whether a truly secure system is even possible is another topic that we can debate.) Information security is a journey, not a destination. We need to foster an approach that values responsibility and reasonableness over blind compliance.
Tags: Compliance, FISMA, Guerilla CISO, HIPAA, ISO 27001, Mike Smith, PCI, regulation, requirements, twitter
I will have to side with Mckee on this one. It has been my experience that the primary accomplishment of compliance endeavors is to keep the notion of security and risk management at the forefront of both technology and business management within an organization. I’ve worked in and around HIPAA, FISMA, and PCI, and they’re all, as Mckee pointed out, high level and nebulous – ultimately making them pointless.
To pick on one, just as a for-instance,
PCI DSS 2.2 (v1.2) states, “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”
This is impractical and not useful. It’s so over-simplified that it’s all but meaningless. Mckee is right in that ensuring that an organization has “a process or architecture” is not the same thing as ensuring that that process or architecture is relevant and effective. That’s the fundamental problem with FISMA. Do you have an incident response plan or a disaster recovery plan? Yes. Well then you’re solid. Never mind that your incident response plan consists of running anti-malware software and calling it a day, or your disaster recovery plan is comprised of user guides and installation manuals from 6 versions back.
Compliance efforts are good, though – even though much of the work is really just spinning wheels to appease some over-arching governing body. Whether it’s the Feds for FISMA, or VISA for PCI, it’s easy to meet the letter of the law of compliance and still have an insufficient and flagrantly deficient security program/posture.
Again, to me, the biggest benefit of compliance mandates is that it keeps information security and privacy practices on everybody’s mind.
One last thought.
IMO, the focus of securing information HAS to be on the users and information handlers. So much is made of configuration and policy and procedure. All of which is necessary and valuable. However, you’re only as good as your weakest link. Steve Riley of MS (http://blogs.technet.com/steriley/) made a good point when he wrote, “I don’t know where to direct my ire—at the spammers who litter the Internet with their spew or at the people who still get duped by it. Spam would wither away if everyone just ignored it.”
The point is that if people wised up and understood the risks, threats, and attack vectors, compliance would come naturally, and the organization’s security posture would be greatly enhanced. Risk is more efficiently reduced by focusing more on our users and less on our compliance.
Chris – I’m with you and G on this one too. Risk is the key to getting security. Regular folk understand there are risks to driving with bald tires, and a reasonable person will get his tires changed, thus decreasing his risk of having a blowout and a possible accident. I don’t think human beings are sufficiently paranoid about cyber security risks, because they seem to always happen to someone else, or there has not been an event significant enough to make us go, “I won’t accept another piece of software unless it is guaranteed to have a secure configuration out of the box.” I really do not like the FUD method, but a certain paranoia is what kept us safe during our development as humans, and some paranoia will help keep us safe as we navigate through cyber space.